Survey on email management
Approaches to security and compliance in the finance industry
Contents
Introduction
Methodology
Summary
Main Findings
Significant issues
Biggest challenges
Global vs. local control
Number of suppliers
Benefits of a single management point
Email interaction with customers
Cost of message management
Governance and compliance
Conclusion
Contacts



Introduction

Email is now the foundation of business communication, replacing paper and voice
as the most critical single element of the corporate communications infrastructure.
Recent years have seen an exponential growth in the amount of information flowing
through electronic communication channels.

Email and other electronic messaging, such as instant messaging (IM) and text
messaging (SMS), are now considered a viable medium for taking orders, sending
approvals and contracts, and discussing sensitive financial issues. As financial
services organisations open up their networks to clients and partners, they are being
forced to take the threat of spam, virus and denial of service attacks seriously to
avoid any disruption to their business. In the wake of complex corporate failures such
as Enron, WorldCom and Parmalat, they are also coming under increasing pressure
from regulators to maintain archives of all communications.

But how are large organisations managing these challenges? This was the overall
question set by this survey, conducted by MORI on behalf of BT, which sought clear
and unbiased feedback from leading financial services companies across the UK,
US and Europe.

Firstly, the survey established the profile of the interviewees, ensuring that respondents
had responsibility for contributing to strategic decisions about message management.
Respondents tended to be from large organisations, with 25 per cent claiming more
than 15,000 employees worldwide. These include names such as AIG, Barclays Bank,
Société Générale and Swiss Life.

Major challenges
The survey considered the major issues in email message management that
organisations face today, and asked them to predict how the cost and significance
of these issues will change in the coming years. It then sought to discover how the
message management infrastructure is currently organised, and identify areas where
respondents thought this could be improved to meet future needs.

In particular, the survey examined the major challenges around security and
compliance, and sought to identify where organisations’ priorities lie in terms of
budget growth and allocation. The link between security and compliance was also
examined, in addition to organisations’ readiness to meet requests from regulators
for access to archived communications.

The results make important reading for any senior manager involved in strategic
decisions about message management. They reveal differences in focus in the countries
surveyed, and illustrate the key role that a secure messaging infrastructure plays in
today’s financial organisations.

The following document provides important insights into the survey results.



Methodology

This research was conducted by MORI on behalf of BT. One hundred and twelve
interviews were conducted within retail and wholesale banks, insurance companies,
investment managers and building societies. Interviews addressed a representative
sample of organisations in the UK, US, France, Germany and the Netherlands.

                        UK   US   France   Germany   Netherlands   TOTAL
Banking                 10   19   16       10        5             60
Insurance               8    5    4        8         4             29
Investment management   2    2    1        2         0             7
All                     4    0    0        0         0             4
Other                   1    5    0        0         0             6
Don’t know/refused      5    0    0        0         1             6
TOTAL                   30   31   21       20        10            112

Of the 112 respondents, 79 had responsibility within the IT side of the business,
and 33 worked in the areas of risk and compliance. MORI interviewed senior staff
with responsibility for IT, with job titles including CIO, systems director and IT
director. Managers responsible for operations and risk management were also
interviewed, and job titles in these areas included head of compliance and head
of risk.

Some questions were asked of both IT and risk groups, while others were specific
to one.

Within the 112, 89 respondents worked for organisations that had some level of
retail finance business, and several questions were asked just of this segment.

On certain questions, the responses do not add up exactly to 100 per cent due to
rounding or the fact that multiple responses were allowed.

Fieldwork
Fieldwork and data processing were carried out at the end of 2004. All interviews
were conducted by telephone using CATI (Computer Assisted Telephone
Interviewing). No financial incentives were offered to respondents, only a copy
of the final published findings.



Summary

• The survey looks at issues impacting on message management that can be
categorised as either controlled or uncontrolled. The uncontrolled category is
about reacting to external threats, which may or may not be experienced by
the organisation. Viruses, spam, hacking and phishing all fall into this area.
The controlled category is about an organisation making changes internally
in response to set regulation or best practice. This survey reveals that both
categories are crucial to successful message management, but there are
geographic differences in the prioritisation of issues.

• Of the external threats that financial organisations face, viruses are still seen
as the most potentially damaging, and are rated as a more significant issue
than spam, hacking and phishing. This is expected to still be the case in three
years’ time.

• Across the different countries surveyed, France is the most focused on security
concerns such as viruses and boundary protection, while the UK and US are most
concerned about archiving and compliance issues.

• Most organisations use multiple suppliers of software and services to support
their messaging environments. Despite this, having a single point for management
is seen as beneficial, mainly in having a single user interface for management,
and also in the policy setting for individuals and groups.

• Most organisations don’t know the total cost of ownership (TCO) of their current
messaging environment, which is probably a reflection of the complexity of
measuring an environment that spans all parts of the business. Success is likely
to be seen as the absence of failures and attacks that damage the business.

• The largest budget increases related to message management across all countries
except France will be in the areas of archiving and compliance. Although this will
include an element of security, storage and retrieval are the most crucial areas for
development.

• For the majority of retail finance respondents, email is already an important tool for
interacting with customers. They would like to use this communication channel
more if security and authentication concerns can be addressed.

“Particularly with viruses and spam, a centralised management shortens the line
of communication and makes it easier to get a definite answer. Hence it’s possible
to react faster to threats.”
– Germany



Main findings

Significant issues
Viruses are considered the most significant issue that organisations face in managing
their messaging environment, with 86 per cent of respondents saying this was a
significant issue. Interestingly, even phishing attacks, which have mainly targeted
the most prominent retail banks to date, were considered a significant issue by 60
per cent of respondents. This is probably due to rising press coverage of the threat,
and associated reputational risk issues.

Looking at the geographic breakdown for ratings on the significance of these issues
illustrates some interesting trends that are borne out in the results of subsequent
sections.

Ninety per cent of UK respondents rated archiving as a significant issue today.
This result can be associated with that country’s Financial Services Authority (FSA)
and its regulatory agenda, together with the close linkages to US firms who have
already been forced to address this issue by the Securities and Exchange Commission
(SEC). This compares to the 60 per cent of Dutch and 67 per cent of French
respondents who thought this issue significant.

“Identification and storage of what we need to archive is a challenge. Most of what
we receive is garbage, and we don’t want to have to save everything.”
– UK

“Our main challenges are to ensure availability and integrity of mails as well as to
make sure that those mails aren’t distorted during the transfer from one person to
another one.”
– France

Q1a. How significant do you think each of the following issues is for your organisation now?

                     Very   Fairly   Not very   Not at all   Don’t know
Spam                 31     40       21         6            2
Viruses              70     16       9          5            0
Hacking              51     18       21         7            3
Phishing             32     28       26         11           4
Archiving            54     23       16         4            2
Mailbox management   39     37       16         4            4
Base: All respondents (112) %

Q1b. How do you see the significance of these issues changing for your organisation
in three years’ time?

Much more Little more Little less Much less Same Don’t know
Spam 39 16 8 6 26 4
Viruses 42 22 4 2 28 3
Hacking 32 21 5 3 33 5
Phishing 30 22 7 3 29 8
Archiving 33 23 11 4 29 1
Mailbox management 28 26 9 3 30 4
Base: All respondents (112) %

Q1c. How well prepared do you think your organisation is to meet the challenges
of mailbox management?

              Very   Fairly   Not very   Not at all   Don’t know
UK            27     63       7          0            3
USA           32     58       3          0            6
France        48     43       5          0            5
Germany       5      50       30         5            10
Netherlands   60     20       20         0            0
Base: All respondents (112) %



Looking at how this significance is expected to change, 90 per cent of French respondents
thought that viruses will be more of an issue in coming years, as opposed to just 57 per
cent of UK and 40 per cent of Dutch respondents. The French focus on security in
general and viruses in particular is another recurring theme of this survey.

On the subject of preparedness for dealing with mailbox management challenges,
German respondents were the least confident, with 35 per cent considering themselves
ill-prepared. Institutions in France, the UK and US were the most confident, all with 90
per cent believing they are well positioned to cope with any challenges.

Biggest challenges
This was an open-ended question and not surprisingly, given the wide range
of internal and external threats that organisations face, security tops the list of
challenges for IT respondents, followed closely by archiving.

Again, archiving and security are the two areas with the largest geographical differences.
Only six per cent of French respondents considered archiving a challenge, as opposed to
41 per cent of UK and 50 per cent of Dutch respondents. On the flipside, 61 per cent of
those representing organisations in France thought security was challenging, compared
to 18 per cent of US and zero Dutch respondents.

Other challenges identified as a result of these questions include efficiency, productivity
and rationalising solutions. Nine per cent of those surveyed thought they faced no
challenges in message management, which either indicates a high degree of sophistication
and preparedness, or complacency about the issues identified in question 1.

In a separate question, 81 per cent of respondents agreed with the following statement:
The threat of ‘email anarchy’ and escalating costs is real for those companies who do
not address their message management correctly.

Q2. What are the biggest challenges for your organisation in message management?

Security 30%
Archiving 28%
Email 18%
Accessibility/availability 5%
Other 25%
Don’t know 5%
None 9%
Base: All IT respondents (79) %

“Archiving is an open question for us, we know what we want to do but the
technical implementation will be a challenge, i.e. how in detail we will set
everything up to satisfy strategy and cost-factors. We will also in the near
future harmonise the messaging systems to prevent a cost increase in the
long-term. Again, the real technical implementation will be a challenge.”
– Germany


Q3. Are the following areas managed primarily at a global level (i.e. decisions are taken
strategically from head office and implemented consistently across the company network)
or at a local level (i.e. decisions are taken locally or regionally on a case-by-case basis)?

                                                              Global   Local   Don’t know
Boundary protection (e.g. anti-spam/virus/content control)    75%      22%     4%
Secure messaging (e.g. phishing/hacking/B2B and B2C emails)   70%      29%     1%
Compliance (e.g. regulatory archiving/audit trail)            70%      27%     4%
Mailbox management (e.g. hosting/DR/Exchange migration)       53%      44%     3%
Base: All IT respondents (79) %

Global vs. local control


In all the areas identified, the majority of organisations have centralised management
at a global head-office level. Taking France out of the equation, the trend towards
centralised management is even stronger. In each area, the majority of French
respondents said responsibility for decisions and management resided at a local level.
As the organisations surveyed in France comprised both French companies and local
subsidiaries of global firms, this irregularity cannot be explained just in terms of a
unique French approach to organisational structure.

Number of suppliers
Although this question didn’t specify the full scope of messaging areas, from general
email applications through to boundary protection and archiving and retrieval,
the majority of respondents, 51 per cent, admitted to using more than one supplier.
Almost one in five (19 per cent) use more than four. US-based organisations use
the most with 55 per cent having three or more suppliers. German organisations
use the least with 78 per cent having only one supplier.

Benefits of a single management point


Having a single user interface for all messaging systems and simplified implementation
of policies for individuals or groups of users were seen as the major benefits from having
a single management point. Other benefits mentioned by survey respondents include
central administration and management, lower cost of control, and increased speed of
response to incidents. It is interesting to note that 28 per cent of those surveyed in
France considered remote management as a key benefit, and this probably relates to
the less centralised management structure identified in question 3.

Q4. How many suppliers do you use for messaging solutions?

[Pie chart. Legend: 1; 2; 3; 4 or more; Don’t know. Segment labels: 10%; 19%; 38%; 16%; 16%.]
Base: All IT respondents (79)

Q5. What would you see as the key benefits of having a single management point for your
messaging systems?

Simplified implementation of policies for individuals or groups of users 24%
Single user interface for all messaging systems 22%
Remote access to single management interface 11%
Centralised administration 9%
Control 4%
None 14%
Other 35%
Base: All IT respondents (79) %



Email interaction with customers
Among the majority of respondents whose organisations operate in the retail
financial sector, email is already an important tool for communicating with
customers, and its use is likely to increase if the security and authentication
concerns can be addressed.

Across all respondents, 60 per cent are looking for some increase in customer
interaction via email. But it is interesting to note the geographical differences for
this question. In the US, only 43 per cent of respondents are seeking more use of
this channel, which is perhaps a reflection of the maturity of internet banking and
the existing use of e-statements in that market. In Germany though, 77 per cent
of respondents want to do more in this area, indicating that this is a relatively
untapped channel.

The majority of all respondents want to increase use of email for almost all the listed
purposes, but a significant number – 72 per cent – believe that security is the biggest
deterrent to realising their ambitions. This highlights the need for a more secure
email infrastructure that is capable of integrating with other bank systems and
delivering information to customers in a trustworthy manner.

Q6. Considering your current interaction with customers (business and individuals) via
email, would you like this interaction to increase, decrease or stay the same over
the next three years?

[Pie chart. Legend: Increase a lot; Increase a little; Stay the same; Decrease a little;
Decrease a lot; Don’t know. Segment labels: 3 22; 36%; 33%; 24%.]
Base: All retail respondents (89)

Q7. Which of the following would you like to do more with customers by email?
Day-to-day contact 55%
Statement provision 54%

Application form provision 53%

Contract provision 51%

Quotes provision 49%

None of these 17%

Base: All retail respondents (89) %

Q8. Which, if any, of the following would you say are significant deterrents to
increased customer interaction by email?

Security (e.g. hacking) 72%

Authentication (e.g. online fraud) 65%

Viruses 57%

Compliance 47%

Archiving (recovering information efficiently) 30%

None of these 7%

Base: All retail respondents (89) %


Cost of message management


Outsourcing of message management processes and infrastructure is still in its
infancy, but the survey shows that it can deliver cost benefits. An interesting difference
in the ongoing cost of mailbox management can be seen when comparing those who
outsource some or all of their message management – including those who would
consider outsourcing in the future – and those who don’t. More than twice as many
respondents who outsource, or would potentially outsource, expect costs for message
management to decrease, at 26 per cent, compared to only 10 per cent of those who
plan to keep the solutions in-house.

Q9. Which of the following messaging processes or systems do you currently outsource?

Boundary protection 18%

Secure messaging 19%

Compliance 13%

Mailbox management 15%


Base: All IT respondents (79) %

The cost of administering the messaging infrastructure is most likely to increase in the
area of compliance, according to 65 per cent of all respondents. Particularly in the
Netherlands and US, costs are predicted to rise in this area, with 75 per cent and 73
per cent respectively predicting compliance will become more expensive. France (67
per cent) and the UK (65 per cent) also expect compliance costs to rise, with only
Germany lagging behind the average with 50 per cent.

In line with the security focus identified in earlier questions, the highest response for
costs increasing in relation to boundary protection came from those surveyed in
France, at 78 per cent, followed closely by the Netherlands with 75 per cent. In the UK,
only 29 per cent expected costs in this area to rise.

Expected costs and budget allocation normally align quite closely, although this isn’t
always the case, as sometimes costs can be borne out over several budget cycles. But
in this case, compliance cost increases and budget increases would look to be broadly
in alignment. This is particularly the case in those countries that have previously been
identified as being concerned about compliance issues. Forty-one per cent of UK and
55 per cent of US respondents will be spending more on compliance, as opposed to
only 11 per cent of German respondents. France is the odd country out with only six
per cent planning to increase compliance budgets, despite 67 per cent believing the
cost of compliance is likely to rise.

In the area of secure messaging, many more French and Germans expected budget
rises than their UK, US and Dutch counterparts.



Q10. How do you expect the costs of administering each of the following areas to increase or
decrease over the next three years?

                      Incr. lot   Incr. little   Decr. little   Decr. lot   Same   Don’t know
Boundary protection   20          34             13             1           24     8
Secure messaging      25          38             9              3           22     4
Compliance            29          35             4              3           22     8
Mailbox management    18          34             13             4           30     1
Base: All IT respondents (79) %

Q11. Of those four areas, where do you think will be the single biggest budget increase?

[Pie chart. Legend: Compliance; Boundary protection; Secure messaging; Mailbox management;
Don’t know. Segment labels: 14%; 29%; 19%; 19%; 19%.]
Base: All IT respondents (79)

Given the cost cutting exercises that many banks have gone through in the past few
years, and the pressure on managers to demonstrate return on investment (ROI) and
total cost of ownership (TCO) for technology investment, the results for question 12
might seem surprising.

Seventy-seven per cent of all respondents don’t know the TCO for their current
message management services, and this percentage was even higher – 89 per cent –
in both France and Germany. This is possibly due to the complex nature of the
messaging infrastructure and the fact it touches every line of business and support
department. As well as specific messaging applications, the infrastructure also
requires associated investment in hardware and ongoing maintenance and support.

In the majority of cases where TCO has not been calculated, it is likely that reliability
and invulnerability – the lack of attacks and failures – are seen as the measuring stick
for success or otherwise of any investment in the messaging infrastructure.

Q12. Do you accurately know the total cost of ownership (TCO) for your current
message management services?

Yes 23%
No 77%
Base: All IT respondents (79)


Governance and compliance


Although an increased focus on security was seen as the biggest issue arising from
regulatory compliance, the results from respondents indicate there is not a great deal
of consensus on any single impact. This could arise from the different regulations faced
by financial organisations in the markets in which they operate. It could also arise from
confusion in the market about the implications of specific items of legislation.

IT governance includes activities such as providing clear audit trails and effective
archiving in order to meet organisation compliance and governance regulations.
Only 25 per cent of German respondents expect a significant increase in IT governance
costs, as opposed to a group average of 56 per cent. The UK came in highest here,
with 70 per cent. Costs rise in relation to what needs to be undertaken to help the
organisation achieve compliance and best practice, so this indicates that there is still a
lot of work to be done.

The retrieval aspect of the archiving required by legislation is often ignored. But simply
having all relevant information and communications stored somewhere is not enough
to achieve compliance. Organisations need to be able to access the required
information in a timely fashion in response to requests, or risk a fine.

“Governance compliance and regulatory pressures are making us manage our
messaging environments better. There is governance around what we can and
can’t do, and this is having a positive impact in making us more efficient.”
– US

Forty-eight hours is the usual turnaround time for requests from the US Securities and
Exchange Commission (SEC), and while many other regulators haven’t specifically set
such timeframes, it is a useful benchmark for analysing an organisation’s archiving and
retrieval capabilities.

Q13. What impacts do you think compliance will have on your message infrastructure?

Increased focus on security 30%

Increased costs 22%

Improved archiving 21%

Advanced search/retrieval capability 8%

High impact 6%

Authentication 5%

More difficult 2%
Improve standards 2%
Pre-scanning for dangerous word combinations 1%

Little impact 1%
Other 14%
Don’t know/no answer 7%
Base: All IT respondents (79) %



Not surprisingly, given the SEC’s enthusiasm in enforcing compliance through the
threat of large fines in recent years, the US is the most confident, with 81 per cent
saying they could meet a request if it wasn’t necessarily within 48 hours. Germany
achieved the lowest score on this count, with just 60 per cent of respondents
confident they could meet a request.

Those respondents that outsource some or all of their messaging infrastructure, or
would consider outsourcing in the future, are consistently more confident of meeting
regulatory request timeframes. Asked specifically about their confidence to meet the
requirement to provide three years’ audit trail within 48 hours, 63 per cent of those
who outsource were confident, whereas only 40 per cent of those that don’t
outsource could reply with confidence.

Q14. How significant do you expect any increases in IT governance costs to be
for your organisation?

[Pie chart. Legend: Very significant; Fairly significant; Not very significant;
Not at all significant; I don’t expect them to increase; I expect them to decrease;
Don’t know. Segment labels: 5; 9%; 13%; 4; 3; 23%; 44%.]
Base: All respondents (112)

Q15. If you received a request from a regulatory body to provide an audit trail going back three
years, how confident would you be of retrieving all of the necessary information within
48 hours? And how confident would you be about retrieving the necessary information
at all (i.e. without a tight deadline)?

[Two pie charts: “Within 48 hours” and “At all”. Legend for each: Very confident;
Fairly confident; Not very confident; Not at all confident; Don’t know.
Segment labels: 16%; 21%; 23%; 4%; 40%; 10%; 13%; 26%; 21%; 28%.]
Base: All respondents (112)



Conclusion

The respondents to this survey are all working for sophisticated organisations
that should have a pretty good grasp of the issues that arise when managing
crucial messaging environments for large, often global, financial institutions.
So if even small numbers of respondents to this survey claim to be having
problems with boundary protection, secure messaging and compliance,
there is cause for concern.

The methods used for hacking and the propagation of viruses and spam will continue
to evolve and become more sophisticated. So organisations are faced with a moving
target. They recognise the need for constant vigilance to guard against the threats,
and have subsequently placed a priority on dealing with these issues.

Compliance, on the other hand, is a relatively static challenge. Regulations and best
practice do periodically change and evolve, but each time they do, organisations
have an easily identifiable set of objectives to achieve. The challenge is how to achieve
these objectives.

But archiving and compliance still seem to be a bit of a blind spot for many
organisations. Although the focus on security and boundary protection is strong,
the expected increase in compliance budgets and lack of confidence in meeting
regulatory requests for access to archived communications shows that this is an area
that requires more work and focus, at least in the short term. Clearly though, the
SEC is leading the way, driving change in the US at a faster rate than the other
countries surveyed.

The number of those currently outsourcing aspects of message management shows
that the practice is in its infancy, but statistics about expected cost reductions and
increased ability to meet regulatory demands show that there are benefits to
adopting this model.

The lack of understanding of TCO in current messaging environments suggests that
organisations could benefit from looking more closely at how their organisation uses
the messaging infrastructure and which critical business areas it touches. Having a
single framework for message management is one way that the required visibility
and control can be achieved, and this will have further knock-on benefits when
addressing the security and compliance challenges organisations will continue
to face.



Contacts

For more information, please contact:
Chris Hughes
BT
Guidion House
Ancells Business Park
Fleet, Hampshire
GU51 2QP
United Kingdom

Tel: 07736 636 106
Email: chris.hughes@bt.com
www.btconsulting.com/financialservices



About BT
BT is one of the world’s leading providers of communications solutions
serving customers in Europe, the Americas and Asia Pacific. Its principal
activities include IT and networking services, local, national and
international telecommunications services, and higher-value broadband
and internet products and services.

www.btconsulting.com/financialservices/mori

© British Telecommunications plc 2005. Registered Office: 81 Newgate Street, London, EC1A 7AJ.
Registered in England No 1800000.

Designed by Write Image Limited. Printed in England.
